System And Method For Connection Of Hosts Behind NATs

ABSTRACT

Disclosed is a system and method for connection of hosts behind network address translators. The system includes a server placed in a public network, and a transparent middleware (TMW). The server records the related data between each host and one or more NAT devices. The TMW may be executed on each host. When a first host of a first NAT device tries to establish a connection to a second host of a second NAT device, through the server, the TMW looks up a first IP address mapping from the first host to the second NAT device, and a second IP address mapping from the second host to the first NAT device. Accordingly, the TMW accomplishes the support for establishing the connection between the first and the second hosts.

FIELD OF THE INVENTION

The present invention generally relates to a system and method for network address translation (NAT), and more specifically to a system and method for connection of hosts behind NATs.

BACKGROUND OF THE INVENTION

With the growth of the Internet, problems reveal the shortage of IPv4's address space. As more and more computer hosts connect to the Internet, the rapid growth rate depletes IPv4's 32-bit address space. To mitigate the problem, the Network Address Translator (NAT) is designed to reuse part of IPv4's addresses. These reusable addresses are called private IP addresses to distinguish them from the globally unique public IP addresses. Multiple hosts behind a NAT can use private IP addresses to form a private network and share one or a few public IP addresses via the address/port translation of the NAT. In a NAT, an IP mapping table records the translation rule between private IP addresses/ports and public IP addresses/ports. This table directs the NAT to translate the inbound and outbound traffic. In consequence, the same private IP addresses can be reused in different private networks and the problem of IPv4 address shortage can be alleviated.

FIG. 1 shows an exemplary schematic view of a host behind a NAT communicating with an external web server host through the NAT. Referring to FIG. 1, a host 103 behind a NAT device 101 transmits an outbound packet through the NAT device 101 to the external web server host 105 on the Internet. NAT device 101 must translate the source IP address of the outbound packet from a private IP address, such as 192.168.50.100, to a public IP address, such as 140.116.175.55, before sending the outbound packet to the Internet. Then, NAT IP mapping table 110 of NAT device 101 records the IP addresses and port numbers of the source and the destination, such as [192.168.50.100:44244=>168.95.1.1:80].

When NAT device 101 receives an inbound packet from web server host 105 on the Internet, according to NAT IP mapping table 110, NAT device 101 translates the destination IP address of the packet, i.e., 140.116.177.55, to the corresponding private IP address, i.e., 192.168.50.100. If there is no corresponding private IP address in NAT IP mapping table 110, the inbound packet will be dropped by NAT device 101.

Typically, NAT devices may be classified into two types. The first type is the cone-based NAT, and the second type is the symmetric NAT. The difference between the two types is in the mapping rule of the port number for outbound packets. A public IP address/port in a cone-based NAT may map to a plurality of private IP addresses/ports, while the mapping rule of the symmetric NAT is limited to one-to-one mapping.

The cone-based NAT may be further classified into full-cone NAT, restricted-cone NAT and port-restricted-cone NAT. The major difference among the three is the way the NAT device filters inbound packets.

FIG. 2A shows a schematic view of an exemplary operation of a full-cone NAT. Host A is behind a NAT and connects with host C, which is in the public network. Full-cone NAT device 201 first translates the private IP address/port [IPa, Pa] of the packet from host A to the public IP address/port [IPna, Pa]. NAT device 201 then combines the public IP address/port [IPna, Pa] with the public IP address/port [IPc, Pc] of host C to form [IPna, Pa; IPc, Pc]. Therefore, host B and host D in the public network may send packets to the public IP address/port [IPna, Pa], and the packets will be forwarded to host A behind NAT device 201.

FIG. 2B shows a schematic view of an exemplary operation of a restricted-cone NAT. The operation of restricted-cone NAT device 211 is similar to that of full-cone NAT device 201. They differ solely in terms of restrictions on the particular source IP address. As shown in FIG. 2B, only host C on the public network may establish a connection to host C behind NAT device 211; that is, even when host C changes its port number from Pc to Pc₁. In fact, host B and host D in the public network cannot establish a connection to host A. The restricted-cone NAT may provide the host behind the NAT more privacy and protection.

FIG. 2C shows a schematic view of an exemplary operation of the port-restricted-cone NAT. The port-restricted-cone NAT has more restrictions on operation than the previous NAT devices. As shown in FIG. 2C, if host C in the public network changes its port number from Pc to Pc₁, the packet transmitted to host A behind NAT device 221 will be dropped by NAT device 221 because of the change of the port number connected to port-restricted-cone NAT device 221.

FIG. 2D shows a schematic view of an exemplary operation of the symmetric NAT. The difference between the operation of the symmetric NAT and that of the port-restricted-cone NAT is the binding rule on the port number of the outbound packet. As shown in FIG. 2D, in a symmetric NAT, each network connection has a different binding rule of port number. For example, host A behind symmetric NAT device 231 may send a packet with public IP address/port [IPna, Pa] to host C in the public network, and the public IP address/port [IPna, Pa] is combined with the public IP address/port [IPc, Pc] of host C behind the external NAT; correspondingly, host C may use address IPc and port number Pc to send the packet to host A behind NAT device 231.
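The inbound filtering rules of the four NAT types in FIG. 2A-2D can be checked against a small in-memory model. The following Python is an added example and not code from the patent: the Nat class, the host endpoints and the port allocation policy are constructed for illustration. It follows the [IPna, Pa] notation above by letting cone NATs keep the private port Pa as the public port, and it gives a symmetric NAT a fresh public port for every (source, destination) pair.

```python
"""Inbound filtering of the four NAT types in FIG. 2A-2D, modelled in memory (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

KINDS = ("full-cone", "restricted-cone", "port-restricted-cone", "symmetric")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    """A NAT device with one public IP address and an IP mapping table."""

    def __init__(self, public_ip: str, kind: str):
        assert kind in KINDS
        self.public_ip, self.kind = public_ip, kind
        # public port -> (private endpoint, external endpoints that private endpoint has sent to)
        self.table: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}
        self._next_port = 40000  # fresh ports for symmetric bindings and port collisions

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; returns the public IP address/port it leaves with."""
        for pub_port, (priv, peers) in self.table.items():
            if priv != src:
                continue
            if self.kind != "symmetric":
                peers.add(dst)                      # cone NAT: one binding per private endpoint
                return Endpoint(self.public_ip, pub_port)
            if dst in peers:                        # symmetric NAT: one binding per (src, dst) pair
                return Endpoint(self.public_ip, pub_port)
        if self.kind == "symmetric":
            pub_port, self._next_port = self._next_port, self._next_port + 1
        else:
            pub_port = src.port                     # keep Pa, as in the page's [IPna, Pa]
            if pub_port in self.table:              # already taken by another private host
                pub_port, self._next_port = self._next_port, self._next_port + 1
        self.table[pub_port] = (src, {dst})
        return Endpoint(self.public_ip, pub_port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Return the private endpoint an inbound packet is forwarded to, or None if it is dropped."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None                             # no mapping at all: dropped
        priv, peers = entry
        if self.kind == "full-cone":
            return priv                             # anyone may send to [IPna, Pa]
        if self.kind == "restricted-cone":
            return priv if any(p.ip == src.ip for p in peers) else None   # source IP only
        return priv if src in peers else None       # port-restricted and symmetric: exact IP and port


# Constructed endpoints: A behind the NAT, C the peer A talks to, C' is C after changing its
# port (Pc -> Pc1), B is a public host A never contacted.
HOST_A = Endpoint("192.168.50.100", 5000)
HOST_C = Endpoint("168.95.1.1", 80)
HOST_C1 = Endpoint("168.95.1.1", 81)
HOST_B = Endpoint("203.0.113.7", 80)


def filtering_matrix() -> Dict[str, Dict[str, bool]]:
    """Which public senders reach host A after A has sent one packet to host C."""
    result = {}
    for kind in KINDS:
        nat = Nat("140.116.175.55", kind)
        pub = nat.outbound(HOST_A, HOST_C)
        result[kind] = {name: nat.inbound(ep, pub.port) is not None
                        for name, ep in (("C", HOST_C), ("C'", HOST_C1), ("B", HOST_B))}
    return result


def public_ports(kind: str) -> Tuple[int, int]:
    """Public ports used when A sends to C and then to B: same for cone NATs, distinct for symmetric."""
    nat = Nat("140.116.175.55", kind)
    return (nat.outbound(HOST_A, HOST_C).port, nat.outbound(HOST_A, HOST_B).port)


if __name__ == "__main__":
    for kind, reach in filtering_matrix().items():
        print(f"{kind:22s} reachable by {reach}  ports {public_ports(kind)}")
```

The matrix makes the hole-punching constraint of the later sections concrete: only the full-cone NAT forwards packets from a host that was never contacted, and only the symmetric NAT changes the public port per destination, which is why the TMW below has to learn the peer NAT's address before any packet is released.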

Although NAT allows hosts to reuse the same IP addresses, there is a negative impact. Because the NAT device has to set up the translation rule before the connection establishment, only the host behind the NAT may be the originating host, and the host in the public network can only be the terminating host. This means that it is impossible to place a server behind the NAT device, and also impossible to establish connections between two hosts behind two different NATs. It violates the end-to-end connectivity model of the Internet. If the server or the hosts at both ends are behind NATs, the network application no longer works because of the hindrance from the NAT deployment.

To solve the above problem, a possible solution is to use the relay approach or the hole punching approach with an external server. The relay approach is a typical NAT traversal method. This approach solves the problem by means of a relay server located in the public network. After each end host has established a connection with the relay server in the public network, all the packets will be forwarded by the server. In this manner, the detoured data path consumes extra network resources and the packet delivery suffers a longer transmission time.

The hole punching approach lets hosts behind NAT devices establish a connection directly. Both end hosts send out a packet to register with the NAT mapping table before establishing the connection. For example, Simple Traversal of UDP through NATs and TCP (STUNT) is a well-known hole punching approach. Before the direct TCP connection, both ends of the TCP connection must send out a SYN packet to the other end simultaneously. This hole punching approach defines certain coordination processes. Although this approach is an efficient method of NAT traversal, applications have to be modified or redesigned one by one to adapt to this coordination process for integration.

SUMMARY OF THE INVENTION

The disclosed exemplary embodiments of the present invention may provide a system and method for connection of hosts behind NATs.

In an exemplary embodiment, the disclosure is directed to a system for connection of hosts behind NATs. The system comprises a server located in a public network for receiving the registration of each host and recording the related information of each host and at least one NAT device; and a transparent middleware (TMW) executed on each host respectively. When a first host of a first NAT device tries to establish a connection to a second host of a second NAT device, through the server, the TMW looks up a first IP address mapping from the first host to the second NAT device, and a second IP address mapping from the second host to the first NAT device. Accordingly, the TMW accomplishes the support for establishing the connection between the first and the second hosts.

In another exemplary embodiment, the disclosure is directed to a method for connection of hosts behind NATs. The method comprises: a receiving host and a transmitting host registering through the TMW with the server; the transmitting host requesting from the server the private IP address information of the receiving host; the server replying with the private IP address information of the receiving host to the transmitting host; the transmitting host requesting from the server the IP address information of the receiving NAT device; the server replying with the IP address information of the receiving NAT device to the transmitting host; and the TMW transmitting the IP address information of the transmitting NAT device to the receiving host.

The aforementioned embodiments are applicable to the situation where hosts behind NATs try to establish a connection. For example, an external host tries to establish a connection to a host behind a NAT, or hosts behind different NATs try to establish a connection with each other.

The foregoing and other features, aspects and advantages of the present invention will become better understood from a careful reading of the detailed description provided herein below with appropriate reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an exemplary schematic view of a host behind a NAT communicating through the NAT with a server host outside of the NAT.

FIG. 2A shows a schematic view of an exemplary operation of a full-cone NAT.

FIG. 2B shows a schematic view of an exemplary operation of a restricted-cone NAT.

FIG. 2C shows a schematic view of an exemplary operation of a port-restricted-cone NAT.

FIG. 2D shows a schematic view of an exemplary operation of a symmetric NAT.

FIG. 3 shows a schematic view of an exemplary NAT system, consistent with certain disclosed embodiments.

FIG. 4 shows a schematic view of an exemplary operation of NAT, consistent with certain disclosed embodiments.

FIG. 5 shows a schematic view of an exemplary TCP 3-way handshake protocol, consistent with certain disclosed embodiments.

FIG. 6 shows a schematic view of an exemplary registration process, consistent with certain disclosed embodiments.

FIG. 7 shows a schematic view of an exemplary operation of a host requesting a DNS IP lookup, consistent with certain disclosed embodiments.

FIG. 8 shows a schematic view of an exemplary operation of a NAT system applied in TCP mode, consistent with certain disclosed embodiments.

FIG. 9 shows a schematic view of an exemplary operation of a NAT system applied in UDP mode, consistent with certain disclosed embodiments.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 3 shows a schematic view of an exemplary NAT system, consistent with certain disclosed embodiments. The NAT system is applicable to establishing a connection between two hosts behind NAT devices, such as an external host trying to connect to a host behind a NAT device, or two hosts behind different NAT devices trying to establish a connection.

In FIG. 3, for example, first host 30A and second host 30B are behind first NAT device 33A and second NAT device 33B respectively. Hosts 30A and 30B try to establish a connection.

Referring to FIG. 3, the NAT system comprises a server 35 and a transparent middleware (TMW) 31. Server 35 is located in a public network for receiving the registration of first host 30A and second host 30B, and recording related information of each host and each NAT device. The related information may include the domain names of first host 30A and second host 30B, the IP address/port mapping of first host 30A and first NAT device 33A, and the IP address/port mapping of second host 30B and second NAT device 33B. TMW 31 may be executed on first host 30A and second host 30B, respectively.

In the example of FIG. 3, when first host 30A and second host 30B try to establish a connection to each other, first host 30A and second host 30B execute TMW 31 respectively. TMW 31 inquires through server 35 of the IP address mapping between first host 30A and second NAT device 33B, and the IP address mapping between second host 30B and first NAT device 33A, and accomplishes the support of establishing the connection between first host 30A and second host 30B.

The system is applicable to a first NAT device different from a second NAT device, with the first host and the second host behind the first NAT device and the second NAT device, respectively. The system is also applicable to the case when the first NAT device and the second NAT device are the same device, and the first host and the second host communicate through the same first NAT device.

TMW 31 may be installed at the kernel level or the user level of the host. When installed at the kernel level, TMW 31 rewrites the packet driver. When installed at the user level, TMW 31 may use the driver socket routine.

First host 30A and second host 30B, for example, may be a notebook PC, a desktop PC, a server or any combination of the above.

Labels 401-406 shown in FIG. 3 indicate the operation flow of NAT, which will be described in detail in FIG. 4. The following description refers to FIGS. 3-4.

Step 401 is the registration activity. That is, first host 30A and second host 30B register with server 35. The registration activity makes server 35 check whether both first host 30A and second host 30B are online, and makes server 35 check the uniqueness of the information of first host 30A and second host 30B in the public network where server 35 resides. The information may be, for example, IP address/port and domain name. Each host uses its own IP address to register a domain name with any domain name system (DNS), and uses the domain name to register with server 35. The detailed registration process is described in FIG. 6.

Step 402 indicates sending a request to inquire of the private IP address of second host 30B. That is, first host 30A may use the domain name of second host 30B to send a request to server 35 to inquire of the private IP address of second host 30B. For example, first host 30A may send a DNS request packet with the domain name of second host 30B to server 35.

Step 403 indicates replying with the private IP address of second host 30B. That is, server 35 replies with the private IP address information to first host 30A. For example, according to the domain name of second host 30B, server 35 may execute a DNS inquiry and find the private IP address/port of second host 30B.

Step 404 indicates sending a request to inquire of the IP address of the NAT device. That is, according to the private IP address information of second host 30B, TMW 31 on first host 30A sends a request to server 35 to inquire of the IP address of the NAT device. For example, TMW 31 may send an IP lookup query packet with the information of the private IP address/port of second host 30B.

In TCP mode, after first host 30A receives the DNS reply from server 35 (step 403), first host 30A will send a SYN packet with the IP address information of the second host to second host 30B. Therefore, the aforementioned IP lookup query packet may also include the information in the SYN packet sent by first host 30A, such as the TCP packet sequence number. The details of this process will be described in FIG. 7.

Step 405 indicates replying with the IP address of second NAT device 33B. That is, server 35 replies with the IP address of second NAT device 33B to first host 30A. For example, server 35 may reply with an IP lookup reply packet to TMW 31 of first host 30A to inform it of the IP address information of second NAT device 33B.

Step 406 indicates replying with the IP address of first NAT device 33A. That is, server 35 replies with the IP address of first NAT device 33A to second host 30B, and sends a connect request packet to second host 30B. The connect request packet may include the IP address/port information of first NAT device 33A, as well as the information of the SYN packet sent by first host 30A.

The above steps 401-406 describe how the transparent traversal NAT system supports the connection establishment between two hosts behind different NAT devices.

In other words, the connection support may include: the receiving host and the transmitting host both registering with the server through the TMW; the transmitting host sending a request for the private IP address of the receiving host to the server; the server replying with the private IP address of the receiving host; the transmitting host sending a request for the IP address of the receiving NAT device to the server; the server replying with the IP address of the receiving NAT device to the transmitting host; and the TMW sending the IP address of the transmitting NAT device to the receiving host.

After finishing steps 401-406, first host 30A behind first NAT device 33A and second host 30B behind second NAT device 33B successfully establish a connection. Then, first host 30A and second host 30B may transmit data to each other directly.

Thereby, TMW 31 of first host 30A records the mapping between the private IP address/port of second host 30B and the IP address/port of second NAT device 33B. Similarly, TMW 31 of second host 30B records the mapping between the private IP address/port of first host 30A and the IP address/port of first NAT device 33A.

According to the disclosed embodiments, first host 30A and second host 30B may execute TMW 31 respectively. The existing architecture and application programs on first host 30A and second host 30B, such as client/server or peer-to-peer (P2P) architecture, may connect directly without being rewritten.

If the packets are transmitted in TCP mode, first host 30A and second host 30B may accomplish the 3-way handshake protocol to establish the connection acknowledgement. FIG. 5 shows a schematic view of an exemplary TCP 3-way handshake protocol, consistent with certain disclosed embodiments.

Referring to FIG. 5, after first host 30A receives the IP address of the second NAT device (step 405), first host 30A may send a low time-to-live (TTL) initialization SYN packet to second NAT device 33B. The SYN packet may be expressed as SYN(X, low TTL), where X is the sequence number of the TCP packet. Because the initialization SYN packet has a low TTL, first host 30A will receive an Internet Control Message Protocol (ICMP) packet reporting that the TTL was exceeded, expressed as ICMP (TTL-exceeded).

First host 30A then sends an encapsulated SYN packet (Encapsulated SYN(X)). Encapsulated SYN(X) includes the sequence number of the initialization SYN packet, and is transmitted to second host 30B through server 35. When receiving this request packet, TMW 31 of second host 30B will generate an issue SYN packet with sequence number X (Issue SYN(X)) according to sequence number X of the initialization packet, and transmit Issue SYN(X) to the TCP layer of second host 30B, as indicated by label 501.

After receiving the SYNACK(Y, X+1) packet, first host 30A replies with an ACK packet to second host 30B. At this point, the TCP 3-way handshake protocol is accomplished.

According to the disclosed embodiments of the present invention, in step 501 of the TCP 3-way handshake protocol, TMW 31 of second host 30B generates the Issue SYN(X) packet and transmits it to the TCP layer; the Issue SYN(X) packet does not need to go through the external network. In other words, the packet will not be filtered by the routers of the external ISP.

FIG. 6 shows a schematic view of an exemplary process for a host registration with the server, consistent with certain disclosed embodiments. The following description refers to both FIG. 3 and FIG. 6. The registration process includes three steps, indicated as labels 601-603.

Label 601 indicates sending the registration-related information of first host 30A to server 35. TMW 31 of first host 30A first searches for the private IP address of first host 30A, such as 192.168.50.100, and the domain name, such as DNA. Then, TMW 31 randomly selects a contact port number Cport and generates a registration packet, such as Registry(192.168.50.100, DNA). The registration packet may include the private IP address of first host 30A, such as 192.168.50.100, the Cport, such as 1111, and the domain name, such as DNA. TMW 31 transmits the registration packet to server 35.

Label 602 indicates that server 35 checks the uniqueness of the related information of first host 30A. After server 35 receives the registration packet from first host 30A, server 35 checks with registry database 61 to determine whether the registration information (private IP address, Cport, and domain name) of first host 30A is unique, and obtains the registration result reply(1/0), where reply(1) indicates a successful registration and reply(0) a failure. The registry database may be stored in server 35.

Label 603 indicates that server 35 replies with the registration result to first host 30A. If the registration is successful, server 35 replies with a “registry reply(1)” packet, and stores the registration information of first host 30A, such as IP address, Cport, domain name and IP address of the first NAT device, in registry database 61.

If the registration is unsuccessful, server 35 replies with a “registry reply(0)” packet, and TMW 31 randomly selects a new Cport and repeats the above steps 601-603 until the registration information of first host 30A is unique.

After both first host 30A and second host 30B register successfully, because NAT devices 33A, 33B have the capability of keeping packets alive, TMW 31 may still maintain the connection on Cport for transmitting packets to server 35 during the keep-alive period.

As in the aforementioned steps 402-403, according to the domain name of second host 30B, first host 30A may send a request to server 35 to inquire of the private IP address of second host 30B. According to the domain name of second host 30B, server 35 may execute a DNS query to find the private IP address/port of second host 30B. Server 35 will record the relation between first host 30A and second host 30B. FIG. 7 further shows a schematic view of an exemplary operation of a host requesting a DNS IP lookup, consistent with certain disclosed embodiments.

Label 701 indicates that first host 30A sends a DNS request packet to server 35. The DNS request packet includes the domain name DNB of second host 30B and the private IP address of first host 30A added by TMW 31, such as 192.168.50.100, and the port, such as 1111. The DNS request packet can be expressed as “DNS (DNB, 192.168.50.100.1111)”. TMW 31 of first host 30A sends the DNS request packet to server 35.

Label 702 indicates that server 35 sends a query packet “Lookup(“DNB”)” for domain name DNB of second host 30B to registry database 61.

Label 703 indicates that if registry database 61 has no record of domain name DNB of second host 30B, registry database 61 replies with a “Lookup reply(0)” packet to server 35. Server 35 then sends another packet with the domain name of second host 30B to another DNS for lookup.

Label 704 indicates that if registry database 61 includes a record of domain name DNB of second host 30B, server 35 generates a new DNS response packet with the private IP address/Cport of second host 30B, such as “DNS reply(192.168.50.100, 2222)”, and transmits it to first host 30A. The related information of first host 30A and second host 30B, such as the private IP address/Cport of first host 30A, the IP address of first NAT device 33A, the private IP address/Cport of second host 30B, and the IP address of second NAT device 33B, will be recorded in IP lookup database 71. The packet format may be expressed as “Storage Lookup(192.168.200.100, 140.116.177.55, 2222, 192.168.50.100, 140.116.72.94, 1111)”.
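The registration exchange of FIG. 6 (labels 601-603) and the DNS lookup of FIG. 7 (labels 701-704) are the server-side state that everything later depends on, so the following Python walks through both against an in-memory registry. It is an added example, not code from the patent: the RegistryServer and Tmw classes, the uniqueness rule (the pair of private IP address and Cport must be unique, which is assumed because private addresses repeat across NATs and only the Cport is re-drawn after a reply(0)), the deterministic port source used in the walkthrough, and the stand-in for "another DNS" are all constructed here. The addresses follow the page's own examples; host C and its NAT address are constructed to force a Cport collision.

```python
"""Registration (FIG. 6, labels 601-603) and DNS lookup (FIG. 7, labels 701-704), simulated in memory (added example)."""
import random
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, int, str]   # (private IP address, Cport, IP address of the host's NAT device)


class RegistryServer:
    """Server 35, with registry database 61 and IP lookup database 71 as plain containers."""

    def __init__(self, external_dns: Optional[Dict[str, str]] = None):
        self.registry: Dict[str, Record] = {}        # registry database 61: domain name -> record
        self.ip_lookup: List[tuple] = []             # IP lookup database 71: Storage Lookup(...) rows
        self.external_dns = external_dns or {}       # constructed stand-in for "another DNS" (label 703)

    def register(self, private_ip: str, cport: int, domain: str, nat_ip: str) -> int:
        """Label 602: uniqueness check; returns reply(1) on success, reply(0) on failure.
        Assumption: the (private IP, Cport) pair must be unique across all registered hosts."""
        for other_domain, (ip, cp, _nat) in self.registry.items():
            if other_domain != domain and (ip, cp) == (private_ip, cport):
                return 0
        self.registry[domain] = (private_ip, cport, nat_ip)   # label 603: stored on reply(1)
        return 1

    def dns_request(self, requester_domain: str, target_domain: str) -> Optional[Tuple[str, Optional[int]]]:
        """Labels 701-704: resolve a domain name to a private IP/Cport and record the relation."""
        target = self.registry.get(target_domain)                # label 702: Lookup("DNB")
        if target is None:                                       # label 703: Lookup reply(0)
            public_ip = self.external_dns.get(target_domain)     # forwarded to another DNS
            return (public_ip, None) if public_ip else None
        requester = self.registry[requester_domain]
        # label 704: Storage Lookup(target ip, target NAT ip, target Cport,
        #                           requester ip, requester NAT ip, requester Cport)
        self.ip_lookup.append((target[0], target[2], target[1], requester[0], requester[2], requester[1]))
        return (target[0], target[1])                            # DNS reply(private IP, Cport)


class Tmw:
    """The registration side of TMW 31 on one host."""

    def __init__(self, private_ip: str, domain: str, nat_ip: str, rng=None):
        self.private_ip, self.domain, self.nat_ip = private_ip, domain, nat_ip
        self.rng = rng or random.Random()
        self.cport: Optional[int] = None

    def register(self, server: RegistryServer, max_tries: int = 64) -> int:
        """Labels 601 and 603: draw a random Cport, send Registry(...), redraw on registry reply(0)."""
        for _ in range(max_tries):
            cport = self.rng.randint(1024, 65535)
            if server.register(self.private_ip, cport, self.domain, self.nat_ip) == 1:
                self.cport = cport
                return cport
        raise RuntimeError("no unique Cport found after %d tries" % max_tries)


class _FixedPorts:
    """Deterministic stand-in for random.Random so the walkthrough is reproducible (constructed)."""

    def __init__(self, ports):
        self._ports = list(ports)

    def randint(self, _lo, _hi):
        return self._ports.pop(0)


def demo() -> dict:
    server = RegistryServer()
    host_a = Tmw("192.168.50.100", "DNA", "140.116.72.94", _FixedPorts([1111]))
    host_b = Tmw("192.168.200.100", "DNB", "140.116.177.55", _FixedPorts([2222]))
    # host C sits behind a third NAT and happens to share A's private IP and A's first Cport draw
    host_c = Tmw("192.168.50.100", "DNC", "198.51.100.9", _FixedPorts([1111, 3333]))
    return {
        "a": host_a.register(server),
        "b": host_b.register(server),
        "c": host_c.register(server),                  # first draw rejected, second accepted
        "dns": server.dns_request("DNA", "DNB"),       # DNS reply(private IP of B, Cport of B)
        "unknown": server.dns_request("DNA", "nowhere.invalid"),
        "stored": server.ip_lookup[0],                 # the Storage Lookup(...) row
    }


if __name__ == "__main__":
    print(demo())
```

Host C's first registration attempt is rejected because A already holds (192.168.50.100, 1111), and the retry with a new Cport succeeds, which is exactly why the server keys on more than the private address: two hosts behind different NATs can legitimately share one. The stored row reproduces the field order of the page's Storage Lookup example.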

Data transmission may be divided into two modes, i.e., TCP mode and UDP mode. The following describes exemplary operations in TCP mode and in UDP mode respectively for the disclosed NAT system with transparent traversal.

FIG. 8 shows a schematic view of an exemplary operation of a NAT system applied in TCP mode, consistent with certain disclosed embodiments. Referring to FIG. 8, in TCP data transmission mode, first host 30A behind first NAT device 33A and second host 30B behind second NAT device 33B execute TMW 31 respectively.

First host 30A and second host 30B first register with server 35, and first host 30A sends a DNS query packet to server 35 to obtain the private IP address of second host 30B.

When first host 30A and second host 30B try to establish a TCP connection, first host 30A sends a TCP_SYN packet with the private IP address/port of second host 30B to second host 30B, as indicated by label 801. TMW 31 keeps the TCP_SYN packet and generates a new UDP packet to server 35. Server 35 sends a “Lookup( )” packet and uses the private IP address of second host 30B to inquire of lookup database 81 for the IP address of second NAT device 33B, as indicated by label 802. The UDP packet includes the Cport, IP address, port and TCP sequence number of first host 30A and second host 30B.

According to the private IP address of second host 30B, server 35 inquires of lookup database 81 for the IP address of second NAT device 33B, and replies to TMW 31 of first host 30A, as indicated by label 803.

Server 35 generates a new connection request packet and transmits it to TMW 31, as indicated by label 804. The connection request packet includes the IP address of second host 30B, the Cport and IP address/port of first host 30A, the IP address of first NAT device 33A, and the TCP packet sequence number. After TMW 31 receives the connection request packet from server 35, a TCP_SYN packet is solicited to the TCP layer of second host 30B, as indicated by label 805.

On the other hand, after receiving the IP address of second NAT device 33B replied from server 35 (step 803), TMW 31 of first host 30A releases the original TCP_SYN packet, changes the private IP address of second host 30B in the TCP_SYN packet to the IP address of second NAT device 33B, and sends a low TTL TCP_SYN packet “TCP_SYN(X, low TTL)”. In this manner, the IP mapping table of first NAT device 33A records the IP address mapping from first host 30A to second NAT device 33B. In other words, a TCP hole is punched on first NAT device 33A, as indicated by label 806.

After the TCP layer of second host 30B receives the TCP_SYN packet (step 805), the AP layer of second host 30B will send a TCP_SYNACK packet to first host 30A, as indicated by label 807. To transmit the TCP_SYNACK packet correctly, TMW 31 of second host 30B changes the private IP address of first host 30A in the TCP_SYNACK packet to the IP address of first NAT device 33A, and transmits it to first NAT device 33A. Similarly, the IP mapping table of second NAT device 33B also records the IP address mapping from second host 30B to first NAT device 33A; i.e., punching a TCP hole on second NAT device 33B.

After TMW 31 of first host 30A receives the TCP_SYNACK packet, TMW 31 changes the IP address of second NAT device 33B in the TCP_SYNACK packet to the private IP address of second host 30B, and transmits it to the TCP layer of first host 30A, as indicated by label 808.

When the application programs of the AP layer of first host 30A receive the TCP_SYNACK packet from second host 30B, first host 30A sends a TCP_ACK packet to second host 30B to accomplish the TCP 3-way handshake protocol and establish the TCP connection and acknowledgement, as indicated by label 809. Therefore, when the network packets are transmitted in TCP mode, the transmitting host and the receiving host may accomplish the TCP 3-way handshake to establish the connection acknowledgement.
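The TCP-mode sequence of FIG. 5 and FIG. 8 (labels 801-809) is easiest to follow as a packet trace in which each NAT's IP mapping table is visible. The following Python is an added example and not code from the patent: the Packet and Nat classes, the port-restricted filtering rule (an inbound packet is forwarded only if that private endpoint has already sent to exactly that external IP address/port), the in-memory stand-in for lookup database 81, and the sequence numbers are all constructed here; the addresses follow the page's examples. The low-TTL SYN is modelled as recording the mapping on first NAT device 33A and then expiring in transit, which is what the ICMP (TTL-exceeded) reply in FIG. 5 signals.

```python
"""TCP-mode traversal of FIG. 5 and FIG. 8 (labels 801-809) as an in-memory packet trace (added example)."""
from dataclasses import dataclass, replace
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "SYN", "SYNACK" or "ACK"
    seq: int
    ack: int
    ttl: int = 64


class Nat:
    """NAT device with a port-restricted IP mapping table: inbound traffic is forwarded only to a
    private endpoint that previously sent to exactly that external IP address/port."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.mappings: Set[Tuple[str, int, str, int]] = set()   # (priv ip, priv port, ext ip, ext port)

    def outbound(self, pkt: Packet) -> Packet:
        # record [private ip:port => external ip:port]; the public port equals the private port here
        self.mappings.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.public_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        for priv_ip, priv_port, ext_ip, ext_port in self.mappings:
            if (ext_ip, ext_port, priv_port) == (pkt.src_ip, pkt.src_port, pkt.dst_port):
                return replace(pkt, dst_ip=priv_ip)
        return None   # no matching mapping: the NAT drops the packet


def tcp_mode_handshake() -> dict:
    nat_a, nat_b = Nat("140.116.72.94"), Nat("140.116.177.55")   # first/second NAT device
    a_ip, a_port = "192.168.50.100", 44244                        # first host 30A (constructed port)
    b_ip, b_port = "192.168.200.100", 8080                        # second host 30B (constructed port)
    lookup_db = {b_ip: nat_b.public_ip, a_ip: nat_a.public_ip}   # stand-in for lookup database 81

    # Before any hole exists, NAT A drops a packet arriving from NAT B.
    blocked = nat_a.inbound(Packet(nat_b.public_ip, b_port, nat_a.public_ip, a_port, "SYNACK", 5000, 1001))

    # 801: A's TCP layer emits SYN(X) to B's private address; TMW on A holds it.
    syn = Packet(a_ip, a_port, b_ip, b_port, "SYN", seq=1000, ack=0)
    # 802-803: the server resolves B's private address to NAT B's public IP for TMW on A.
    nat_b_ip = lookup_db[syn.dst_ip]
    # 804: the server sends a connect request (A's private ip/port, NAT A's IP, X) to TMW on B.
    connect_request = dict(first_host=(a_ip, a_port), first_nat_ip=nat_a.public_ip, seq=syn.seq)
    # 805: TMW on B issues SYN(X) straight into B's TCP layer; it never crosses the Internet.
    issue_syn = Packet(*connect_request["first_host"], b_ip, b_port, "SYN", connect_request["seq"], 0)
    # 806: TMW on A releases the held SYN with the destination rewritten to NAT B and a low TTL.
    # NAT A records the mapping (the hole); the packet then expires in transit and is not delivered.
    nat_a.outbound(replace(syn, dst_ip=nat_b_ip, ttl=2))
    # 807: B's TCP layer answers SYNACK(Y, X+1) towards A's private address; TMW on B rewrites the
    # destination to NAT A's IP, and NAT B records its own mapping (the hole on NAT B).
    synack = Packet(b_ip, b_port, issue_syn.src_ip, issue_syn.src_port, "SYNACK", 5000, issue_syn.seq + 1)
    synack_wire = nat_b.outbound(replace(synack, dst_ip=connect_request["first_nat_ip"]))
    synack_at_a = nat_a.inbound(synack_wire)          # passes NAT A thanks to the mapping from 806
    # 808: TMW on A rewrites the source back to B's private address before handing it to A's TCP layer.
    synack_local = replace(synack_at_a, src_ip=b_ip)
    # 809: A's TCP layer sends ACK; TMW on A rewrites the destination to NAT B's IP; NAT B forwards it
    # through the mapping from 807 and TMW on B restores A's private source address.
    ack = Packet(a_ip, a_port, b_ip, b_port, "ACK", synack_local.ack, synack_local.seq + 1)
    ack_at_b = nat_b.inbound(nat_a.outbound(replace(ack, dst_ip=nat_b_ip)))
    ack_local = replace(ack_at_b, src_ip=a_ip)
    return {
        "blocked_before_punch": blocked,
        "synack_seen_by_a": (synack_local.src_ip, synack_local.ack),
        "ack_seen_by_b": (ack_local.src_ip, ack_local.seq, ack_local.ack),
        "hole_on_nat_a": (a_ip, a_port, nat_b.public_ip, b_port) in nat_a.mappings,
        "hole_on_nat_b": (b_ip, b_port, nat_a.public_ip, a_port) in nat_b.mappings,
    }


if __name__ == "__main__":
    for key, value in tcp_mode_handshake().items():
        print(f"{key}: {value}")
```

Two details of the trace matter for anyone reviewing this design: the only packets that ever cross the Internet carry public NAT addresses, so each host's TCP layer sees its peer's private address solely because the local TMW rewrites it on the way in and out; and the SYNACK of step 807 is what actually opens NAT B, so the order 806 before 807 is load-bearing for the port-restricted case.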

FIG. 9 shows a schematic view of an exemplary operation of a NAT systemapplied in UDP mode, consistent with certain disclosed embodiments.Referring to FIG. 9, in UDP data transmission mode, first host 30A andsecond host 30B register to server 35, respectively, and first host 30Auses the domain name 30B of second host 30B to inquire server to obtainthe private IP address of second host 30B.

First host 30A first sends a UDP packet with private IP address ofsecond host 30B. TMW 31 will look up the internal port table 92A, i.e.,issuing “Port Lookup( )” to compare the private IP address/port ofsecond host 30B and port table 92A and replies the result to TMW 31,i.e., returning “Lookup reply( )” to TMW 31, as indicated by label 901.

If port table 92A has no record of the private IP address/port of secondhost 30B, TMW 31 will generate a “UDP Lookup request( )” packet andtransmit to server 35 for inquiring lookup database 91 of the IP addressof second NAT device 33B; i.e., sending a “Lookup( )” packet andreplying the result “reply( )” to server 35, as indicated by label. TheUDP Lookup request( ) packet includes the IP address/port of first host30A and second host 30B, and the Cport of first host 30A.

In the step indicated by 902, if the related information of second host30B is correctly queried, server 35 will execute the following twotasks. The first is to generate a “UDP Request( )” to ask second host30B to generate a UDP packet with the IP address of first NAT device 33Aas the destination address, as indicated by label 903. The UDP Request() packet includes the IP address/port and Cport of first host 30A, theIP address of first NAT device 33A, and the port of second host 30B.

The other task is for server 35 to reply the IP address of second NATdevice 33B to first host 30A; i.e., replying the “UDP Lookup reply( )”to server 35, as indicated by label 904.

After receiving the UDP Request ( ) packet, TMW 31 of second host 30Bsends a low TTL UDP packet. Thereby, the IP mapping table of second NATdevice 33B records the IP address mapping from second host 30B to firstNAT device 33A. In other words, a UDP hole is punched on second NATdevice 33B, as indicated by label 905.

In the step indicated by 904, after receiving the UDP Lookup reply( )packet replied from server 35, TMW 31 of first host 30A releases theoriginal UDP packet, changes the destination address in the UDP packetfrom the private IP address of second host 30B to IP address of secondNAT 33B, and transmits to second host 30B. Thereby, the IP mapping tableof first NAT device 33A records the IP address mapping from first host30A to second NAT device 33B. In other words, a UDP hole is punched onfirst NAT device 33A, as indicated by label 906.

After TMW 31 of first host 30A receives a UDP packet from first host30A, because the IP mapping table of second NAT device 33B has recordedthe IP address mapping from second host 30B to first NAT device 33A, TMW31 changes the source address in the UDP packet from IP address of firstNAT device 33A to the private IP address of first host 30A, andtransmits to the TCP layer of second host 30B, as indicated by label907. The application layer of second host 30B may then expect to receivethe UDP packets from first host 30A.

In the step indicated by 901, if port table 92A already recorded the IPaddress of second NAT device 33B, then the step indicated by 907 isexecuted directly.

FIG. 8 and FIG. 9 shows the disclosed embodiments may be applicable toTCP mode and UDP mode respectively, and describe how the two hostsbehind two different NAT devices able to connect and communicatedirectly without rewriting the applications on the NAT device and host.

In the disclosed embodiments of the present invention, either first NATdevice 33A or second NAT device 33B may be a stand-alone server or aserver cluster, or even a module operating in a host. In other words,the first Nat device and the second NAT device may be a NAT unit withmany possible implementations, such as a single server, a server clusteror a module on a host.

Although the present invention has been described with reference to the exemplary disclosed embodiments, it will be understood that the invention is not limited to the details described thereof. Various substitutions and modifications have been suggested in the foregoing description, and others will occur to those of ordinary skill in the art. Therefore, all such substitutions and modifications are intended to be embraced within the scope of the invention as defined in the appended claims.

1. A network address translation (NAT) system, comprising: a server, said server installed in a public network, receiving registration of each of a plurality of hosts and recording related information of each of said plurality of hosts and at least a NAT device; and a transparent middleware (TMW) that is executed on each said host respectively; when a first host behind a first NAT device trying to establish connection with a second host behind a second NAT device, said TMW querying through said server to lookup IP address mapping from said first host to said second NAT device, and IP address mapping from said second host to said first NAT device; and accomplishing supporting said connection establishment between said first host and said second host.
2. The system as claimed in claim 1, wherein said server records domain name of each of said plurality of hosts, and IP address mapping from each of said plurality of hosts to a corresponding NAT device.
3. The system as claimed in claim 1, wherein said first NAT device is the same as said second NAT device, and said first host and said second host are hosts outside and behind said first NAT device, respectively.
4. The system as claimed in claim 1, wherein said first NAT device is different from said second NAT device, and said first host and said second host are hosts behind said first NAT device and said second NAT device, respectively.
5. The system as claimed in claim 1, wherein each of said plurality of hosts is a notebook computer, personal computer, server, or any combination of the above.
6. The system as claimed in claim 1, wherein said TMW is installed at the kernel level or the user level on each of said plurality of hosts.
7. The system as claimed in claim 1, wherein said server further includes a registry database for storing registry information of each of said plurality of hosts and related information with said at least a NAT device.
8. The system as claimed in claim 1, said system is applicable to data communication in transmission control protocol mode or user datagram protocol mode.
9. The system as claimed in claim 1, wherein said TMW on said first host and said second host respectively records IP address mapping from said first host to said second NAT device, and IP address mapping from said second host to said first NAT device.
10. The system as claimed in claim 1, wherein said first NAT device and said second NAT device are transparent NAT devices.
11. The system as claimed in claim 1, wherein said first NAT device and said second NAT device are NAT units, and each of said NAT units is implemented with a single server, a server cluster, or a module on a host.
12. A method for connecting hosts behind NAT devices, comprising: a transmitting host and a receiving host registering through a transparent middleware (TMW) to a registry server; said transmitting host sending a request to said server for private address information of said receiving host; said server replying said private address information of said receiving host to said transmitting host; said transmitting host requesting to said server for public address information of NAT device of said receiving host; said server replying said public address information of said receiving NAT device to said transmitting host; said server replying IP address information of said receiving NAT device to said transmitting host; and said TMW transmitting IP address information of NAT device of said transmitting host to said receiving host.
13. The method as claimed in claim 12, said method is applicable to data transmission in transmission control protocol (TCP) mode or user datagram protocol (UDP) mode.
14. The method as claimed in claim 13, wherein in said TCP data transmission mode, said transmitting host and said receiving host accomplish a 3-way handshake protocol for establishing connection acknowledgement.
15. The method as claimed in claim 12, wherein said transmitting host requests to said server for IP address lookup of said receiving host through a domain name of said receiving host.
16. The method as claimed in claim 14, wherein said 3-way handshake protocol further includes: said transmitting host transmitting a sequence number and a low time to live (TTL) synchronization (SYN) packet to said receiving NAT device; said transmitting host sending a request packet with said sequence number through said server to said receiving host; according to said sequence number, said receiving host generating another SYN packet with said sequence number and transmitting through said TMW to TCP layer of said receiving host; application layer of said receiving host transmitting a synchronization acknowledge (SYNACK) packet to said transmitting host; and said transmitting host replying an acknowledge (ACK) packet to said receiving host.
17. The method as claimed in claim 13, wherein said step of said host registering to said registry server further includes: transmitting registration related information of said host to said server; said server checking the uniqueness of said registration related information of said host; and said server replying result of registration success or registration failure to said host.
18. The method as claimed in claim 17, wherein said registration related information of said host at least includes corresponding private IP address, contact connection port and domain name of said host.
19. The method as claimed in claim 17, wherein said server checks the uniqueness of said registration related information of said host through a registry database.
20. The method as claimed in claim 17, wherein when said result is registration failure for said host, said host randomly selects another contact connection port and repeats said registry step until said server confirms the uniqueness of said registration related information of said host.
21. The method as claimed in claim 12, wherein said step of said transmitting host requesting for said IP address information of said receiving NAT device further includes: said transmitting host transmitting a packet with domain name of said receiving host to said server; said server sending a query packet with said domain name of said receiving host to a registry database; if said registry database having no record of said domain name of said receiving host, said server sending a packet with said domain name of said receiving host to another domain name system (DNS) for lookup; and if said registry database having record of said domain name of said receiving host, said server replying said receiving host information to said transmitting host, and recording related information of said transmitting host and receiving host in an IP query database.
22. The method as claimed in claim 21, wherein said receiving host information replied by said server at least includes private IP address and port of said receiving host.
23. The method as claimed in claim 21, wherein said related information of said transmitting host and receiving host recorded in said IP query database at least includes private IP address/contact connection port of said transmitting host, IP address of said transmitting NAT device, private IP address/contact connection port of said receiving host, and IP address of said receiving NAT device.
24. The method as claimed in claim 21, said method is a transparent network address translation method.
25. The method as claimed in claim 12, wherein said private address is an IP address.
26. The method as claimed in claim 12, wherein said receiving NAT device and said transmitting NAT device are NAT units, and each of said NAT units is a single server, a server cluster or a module on a host.